(54) Method to provide authorization, a certifying authority, a terminal, a service provider and a certificate realizing such a method



(57) The invention relates to a method for use in a telecommunication environment. The method provides authorization by a certifying authority (CA) to a service provider (SP) whereby the service provider (SP) is allowed to execute predefined functionality (F) when a service is provided by the service provider (SP) to a terminal (T) of a user. The method includes the step of delivering a certificate (CERT) by the certifying authority (CA) to the service provider (SP). Moreover the method comprises the step of defining in the certificate (CERT) a definition of the predefined allowed functionality (F) that is part of a global functionality (GF) supported in the telecommunication environment. Furthermore the invention concerns a certifying authority (CA), a service provider (SP) and a terminal (T) to realize the method.
Description

[0001] The present invention relates to a method to provide authorization as described in the preamble of claim 1, to a certifying authority, a terminal, a service provider and a certificate realizing such a method as described in the preamble of claim 7, claim 8, claim 9 and claim 10 respectively and to a telecommunication network comprising such a certifying authority, such a terminal and such a service provider as described in the preamble of claim 11.

[0002] Such a method for use in a telecommunication environment to provide authorization by a certifying authority to a service provider to execute predefined functionality in the event when a service is provided by the service provider to a terminal of a user, is already known in the art. Indeed, in such an event the certifying authority delivers a certificate to the service provider that provides the service provider the authorization to execute all the functionality of the telecommunication environment. Such a certificate is explained in 'Frequently asked questions about today's cryptography, version 4.0' published by RSA Laboratories, a division of RSA Data Security, in 1998. Herein, the answer to question 4.1.3.10 'What are certificates' describes the object of a certificate. Certificates are digital documents attesting to the binding of a public key to an individual or other entity. They allow verification of the claim that a specific key does in fact belong to a specific individual. Certificates help to prevent someone from using a phony key to impersonate someone else. Certificates are typically used to generate confidence in the legitimacy of a public key. In some cases it may be necessary to create a chain of certificates, each one certifying the previous one until the parties involved are confident in the identity in question. Such a certificate contains a public key and name. As commonly used, a certificate also contains an expiration date, the name of the certifying authority that issued the certificate and a serial number. Most importantly, it contains the digital signature of the certificate issuer. The most widely accepted format for certificates is defined by the ITU-T X.509 international standard. Thus certificates can be read or written by any application complying with X.509.

[0003] Another application of certificates is described in the WAP WTLS, Version 30-Apr-1998, Wireless Application Protocol, Wireless Transport Layer Security specification. Herein the content of such a certificate is described at page 57, paragraph 10.5.2: a version of the certificate, the algorithm used to sign the certificate, the certification authority who signed the certificate, the validity period of the certificate, the owner of the key, the type of the key, parameters relevant for the public key and the public key that is being certified. The use of such certificates is described now in the following paragraph.
[0004] A service provider can send a service to a terminal of a user. These services can contain functions that do e.g. call control on the phone whereby any service provider can take over control of the phone e.g. make calls and accept or reject calls. In order to prevent malicious service providers from abusing someone's phone, a certificate based authentication system is used. Only if the service provider can present a certificate that is signed by a certifying authority e.g. a telecommunication network operator, the service provider is allowed access to these dangerous functions. The service provider is allowed to use predefined functionality when the service is provided by the service provider to a terminal of the user.

[0005] It has to be remarked that the expression 'a service is provided by the service provider' means that for instance the content of a service is executed by a terminal of the user. When such a predefined function is to be executed by the terminal, first, the terminal controls the presence of a signed certificate for the service provider. When such a certificate is available the function might be executed without e.g. any danger for abuse of the terminal.

[0006] A further remark is that a certifying authority can be a network operator itself. However, according to actual trends, such a certifying authority can be a service provider itself that provides the service to a network operator of the management of giving or refusing such certificates.

[0007] Yet, it has to be remarked that the verification of the existence of a signed certificate implies different steps like a certification process, a certificate distribution and validation whereby public key/private key PKI algorithms are involved in order to provide a digital signing of the certificate. These steps are known steps to a person skilled in the art and are therefore not described in detail here. The aim is the signing of a certificate and the fact that this signature can be controlled.
[0008] A problem outstanding with the existing certificates is that they are all or nothing solutions. This means that a service provider can get access to all functions or to no function, i.e. a certificate is delivered or no certificate is delivered by the certifying authority.

[0009] Such a situation is often not sufficient for a network operator. Indeed, a network operator cannot risk that a service provider may eventually by accident disable services to some terminals.

[0010] The problem becomes more clear with the following example. Presume a situation where a network operator trusts some service provider enough to let him modify the digital personal telephone book of a user, but the network operator does not trust the service provider enough to give him access to all functionality, i.e. delivering a certificate. A solution to this problem is to add this function to the public library. This means that the network operator allows the use of this function by all service providers according to predefined specifications, e.g. specifying the function in such a way that the user is previously asked permission by a service provider to add a predefined entry in its telephone book. However, in such an event, also service providers that are trusted completely should work with the public function. Otherwise, both functions must be created, i.e. one public function and one non-public function. This results in a very complex, resource expensive and still not completely satisfying specification.
[0011] The object of the invention is to provide a method to provide authorization by a certifying authority to a service provider to execute predefined functionality, such as the above known methods, but which does not have the above mentioned drawbacks of dividing service providers into trusted or not trusted service providers.

[0012] The invention solves the problem by dividing the service providers into more detailed categories by giving a service provider access only to well specified functionality. This is realized by comprising in the certificate of a service provider a definition of the predefined functionality which is allowed to be executed by the service provider and which is part of the global functionality that supports the telecommunication environment. This is described by the method of claim 1 and is realized by the certifying authority of claim 7, the terminal of claim 8, the service provider of claim 9 and the certificate of claim 10 that are included in the telecommunication network of claim 11.

[0013] Indeed, by storing detailed information inside the certificate that is signed by the certifying authority, fine grained access control by the operator is possible. This drastically reduces the risk for an operator. In this way, a service provider can be allowed to use e.g. a predefined telephone function on a terminal without being able to damage the terminal or the network.

[0014] It has to be remarked that according to the prior art solutions a terminal controls first the presence of a signed certificate before it executes an included function of a service provided by a service provider. According to the present invention, the terminal controls not only the presence of a signed certificate but also the presence of the definition of a predefined function in the signed certificate before it executes the function in the event when a service is provided that includes this function.

[0015] A drawback of the present invention is however that the certificate gets larger by comprising a definition of the allowed functionality. A characteristic feature that is a solution to this drawback is described in claim 2. Indeed, by introducing a hierarchical tree-like structure in the organization of the global functionality, the definition of the predefined allowed functionality can at least partly be realized by a definition of a branch of the structure. Hereby authorization is provided to predefined functions of the predefined functionality that are related to the branch. In this way also library identifiers and function identifiers as defined by the wireless mark-up script language can be mentioned in order to provide authorization for either one function, all functions from one library or all functions in all libraries: e.g. enable-all, enable-library-identifier, enable-function-identifier.

[0016] A further improvement of the definition of the predefined allowed functionality in the certificate is realized with claim 3. Herein it is described that the definition of the predefined functionality is at least partly realized by a revocation of part of the global functionality. This is e.g. implemented by using not only an 'enable' function with an allowed function as argument but also a 'disable' function with a revoked function as argument. Herewith, authorization to all functions of a library except one can easily be realized by enabling the library and disabling the revoked function.
[0017] A further implementation is described in claim 4. Herein it is described that the definition of the predefined functionality comprises definitions of wireless mark-up script language. Indeed, such an implementation takes the advantage of making use of already existing and defined functions in a commonly known scripting language. These functions are described in a specification: 'Wireless Application Protocol Wireless Markup Language Script WMLScript Language Specifications, version 30 April 1998' published by the WAP Wireless Application Protocol Forum.

[0018] Another example of existing script language functions is provided e.g. by the Javascript language functions.

[0019] Furthermore, as already mentioned above, the Wireless Telephony Application Interface libraries organize wireless mark-up script language functions into predefined functions and libraries such as call control, sending of short messages or managing a phone book. These functions and libraries of the wireless telephony application functions can also be used to define the allowed predefined functionality in the certificate. They are specified in the 'Wireless Application Protocol Wireless Telephony Application Interface specifications' from the WAP forum and published at April 30, 1998. This is described in claim 5.

[0020] Yet the definitions of standard functions of a terminal are introduced into the definition of the allowed predefined functionality. Indeed, by introducing standard functions as specified according to the 'Wireless Application Protocol WMLScript Standard Libraries Specifications, published by the WAP Forum at April 30, 1998' a service provider is allowed to use this standard functionality in order to provide e.g. a calculator application. This is described in claim 6.

[0021] Finally it has to be remarked that the above mentioned WTAI functions as defined above are known to a person skilled in the art. These functions are valid for commonly known mobile terminals. However, additional functions can be defined in addition to the WTAI specifications according to the type of network used. An example is provided for a GSM addendum, an IS-136 (TDMA Time Division Multiple Access Cellular PCS Personal Communication System Radio Interface - Mobile Station - Base Station - compatibility) addendum and a PDC Pacific Digital Cellular addendum for WTAI, which are specified, respectively, in:

Wireless Application Protocol Wireless Telephony Application Interface specification, GSM Global System for Mobile Telecommunication specific Addendum, published by the WAP forum at April 30, 1998; and

Wireless Application Protocol Wireless Telephony Application Interface specification, IS-136 specific Addendum, published by the WAP forum at April 30, 1998; and

Wireless Application Protocol Wireless Telephony Application Interface Specification, PDC specific Addendum, published by the WAP forum, April 30, 1998.

[0022] It should be noticed that the term "comprising", used in the claims, should not be interpreted as being limitative to the means listed thereafter. Thus, the scope of the expression "a device comprising means A and B" should not be limited to devices consisting only of components A and B. It means that with respect to the present invention, the only relevant components of the device are A and B.

[0023] Similarly, it is to be noted that the term "coupled", also used in the claims, should not be interpreted as being limitative to direct connections only. Thus, the scope of the expression "a device A coupled to a device B" should not be limited to devices or systems wherein an output of device A is directly connected to an input of device B. It means that there exists a path between an output A and an input B which may be a path including other devices or means.

[0024] The above and other objects and features of the invention will become more apparent and the invention itself will be best understood by referring to the following description of an embodiment taken in conjunction with the accompanying figure which illustrates a telecommunication network.

[0025] First, the working of the method of the present invention will be explained by means of a functional description of the functional blocks shown in the figure. Based on this description, implementation of the functional blocks will be obvious to a person skilled in the art and will therefore not be described in further detail. In addition, the principle working of the method to provide authorization will be described.

[0026] Referring to the figure a telecommunication environment is shown. The telecommunication environment comprises a certifying authority CA, a terminal T of a user and a service provider SP.

[0027] The certifying authority CA is coupled via a telecommunication network to the service provider SP and to the terminal T. Also the service provider SP and the terminal T are coupled to each other via the telecommunication network. However, in order not to overload the figure, this telecommunication network is in the figure only shown in a simple way of inputs and outputs of the different included elements. Furthermore it has to be understood that it is clear to a person skilled in the art that such a telecommunication network includes more than one service provider SP, more than one terminal T and even might include more than one certifying authority. Since the invention can be explained only by mentioning the different above elements, more elements are not shown in the figure.

[0028] The certifying authority CA comprises a decider DEC and an including means INC coupled thereto. The decider DEC is coupled between an input of the certifying authority CA and the including means INC. The including means INC is in its turn coupled to an output of the certifying authority CA.

[0029] The decider DEC is included to decide whether the service provider SP is entitled to execute at least part of the global functionality GF' of the telecommunication environment. In order to make this decision the decider DEC makes use of predefined information. This information can be implemented by means of a memory, e.g. a database that keeps track of the different service providers and their allowed functionality. On the other hand an operator of the certifying authority CA might give an input in order to provide the predefined information only in the event when the question arises. The decider DEC is enabled to make decisions regarding the global functionality of the telecommunication environment according to predefined rules and conditions. This means that eventually, e.g. for part of the global functionality GF, the question never arises since the involved network operator prefers to keep this part only for its own purposes. On the other hand, the decider DEC is able to take requests of the service providers into account. In this way the decider DEC is enabled to make a decision only for the functionality requested by a service provider SP and saves hereby processing time. The decider DEC provides a result of its decision that is the allowed functionality F. The allowed functionality is provided by the decider DEC to the including means INC.

[0030] The including means INC comprises the allowed functionality F into the certificate CERT. According to this preferred embodiment this is realized with three predetermined functions: enable, disable and all. The inclusion means INC uses these predetermined functions upon the list of global functionality GF. The global functionality GF is organized in a hierarchical tree-like structure. The structure comprises libraries, i.e. the branches of the tree, and functions, i.e. the ends of the branches. The libraries and the functions are used as the arguments of the predetermined functions. In this way, the including means INC is enabled to comprise the result of the decider DEC in a clear and concise way into the certificate CERT. The certificate is transmitted to the service provider SP but is also transmitted to other locations in the network. Indeed, it has to be explained that, as it is known to a person skilled in the art, these certificates might be consulted on predefined public locations in the telecommunication environment.
[0031] The service provider SP comprises a transmitter TRX. The transmitter is coupled to an output of the service provider SP. The transmitter TRX is included to transmit a request REQ(GF') of the service provider SP that includes a definition of the functionality for which the service provider SP desires access.

[0032] This request REQ(GF') is transmitted to the certifying authority CA. As it is known to a person skilled in the art, a service provider SP also receives a response of the certifying authority CA. In the event when the service provider SP is allowed to receive a certificate CERT, the certificate includes according to the present invention a definition of the allowed functionality F.

[0033] The terminal T comprises a processor P. The processor is included to verify the presence and the content of a certificate. Indeed, in the event when a user desires to use a service SERV of the service provider SP and this service comprises the execution of a predefined function f1, the certificate CERT will first be checked upon the authorization of this execution. Therefore the certificate CERT is extracted from the predefined location in the network. This checking might be performed at the moment when the service SERV is being provided but might as well be executed in advance. Indeed, it is possible that the user used this service SERV some time ago and that the certificate was already checked by that time. In this way, the result might still be stored in a cache of the terminal T. On the other hand, it might as well be the content of the certificate that is still stored in a cache of the terminal T whereby the certificate CERT(F) does not need to be extracted from a predefined location in the network anymore.

[0034] The processor P provides hereby a result OK/NOK that authorizes or revokes, respectively, the access to the function f1 whilst the service SERV is executed.

[0035] The following paragraph describes the principle working of the present invention.

[0036] Presume a situation wherein the service provider SP wants to provide a service SERV that comprises the function f1 call set-up. The service provider SP never provided such a service SERV that includes this functionality, so the service provider SP first has to get permission to access the call set-up function of a terminal T. The service provider SP transmits a request REQ with its transmitter TRX to the certifying authority CA. For this particular embodiment it is preferred to work with a certifying authority CA that only takes into account the requested functions. In this way the certifying authority saves processing time. Thus, the service provider SP comprises in its request the required functionality GF', i.e. the call set-up function f1. The certifying authority CA receives the request from the service provider SP and decides by means of its decider DEC whether the authorization is allowed. The decider DEC takes herefore predefined information INF into account. According to this predefined information INF the service provider SP is a trustable service provider and is allowed by the decider DEC to execute the call set-up function when providing a service SERV to a user. The decider provides this result to the including means INC. The including means INC comprises this result into a prepared certificate CERT for the service provider SP. The including means INC uses the enable predetermined function in order to provide authorization to the functionality related to the call set-up function f1. The definition becomes: enable-library(WTAI.WTAcall--handling). The certificate is provided by the certifying authority CA to the service provider SP and is also distributed into the network towards a predefined location.

[0037] In the event when a user desires to make use of the service SERV of the service provider SP, at a certain moment during execution of the different steps of the service SERV the terminal T will be requested to execute the function f1 call set-up. Instead of executing this functionality immediately the terminal T will request the existence of a certificate CERT(F) from the service provider SP. Since the terminal can find the certificate CERT at the predefined location in the network, the terminal T will download the certificate CERT. Whilst the certificate CERT is controlled upon its signature it will also be checked by the processor P of the terminal T upon the definitions of the allowed functionality F. Since the certificate CERT of the service provider indeed comprises the definition of the call set-up functionality F, the execution of the function f1 call set-up is allowed. This result is stored in a cache of the terminal T and the terminal T proceeds with the execution of the desired service SERV by executing the call set-up function f1.
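The following Python program is added here as an illustration; it is not code from the patent nor from any WAP implementation. It models the authorization scheme of paragraphs [0015] and [0016] (enable/disable entries over a tree of libraries and functions, including the revocation of one function from an otherwise enabled library) together with the functional blocks of [0028] to [0037] (decider DEC working on predefined information INF, including means INC, publication of CERT at a predefined location, and processor P of the terminal producing OK/NOK with a result cache). The library and function identifiers, the content of INF, the keyed hash standing in for the CA's public-key signature, and all function and class names are assumptions of this example.

```python
"""Added example (not the patent's code): fine-grained authorization in a certificate."""
import hashlib
import hmac
import json

# Constructed global functionality GF: libraries are the branches of the tree,
# functions are the leaves. Identifiers are illustrative, not the WTAI ones.
GLOBAL_FUNCTIONALITY = {
    "WTAI.CallHandling": {"setup", "accept", "release"},
    "WTAI.PhoneBook": {"read", "write", "delete"},
    "WTAI.Messaging": {"send", "read"},
}
RANK = {"all": 0, "library": 1, "function": 2}  # specificity of a definition entry


def is_authorized(definition, library, function):
    """Evaluate a certificate definition for one function of GF.

    An entry is [action, scope, target] with action 'enable' or 'disable' and
    scope 'all', 'library' or 'function' (the enable-all / enable-library /
    enable-function forms of [0015]). The most specific matching entry decides;
    on equal specificity 'disable' wins; no matching entry means denied.
    """
    if function not in GLOBAL_FUNCTIONALITY.get(library, set()):
        return False  # not part of GF at all, so never authorized
    best = None  # (rank, action) of the decisive entry seen so far
    for action, scope, target in definition:
        matches = (scope == "all"
                   or (scope == "library" and target == library)
                   or (scope == "function" and target == f"{library}.{function}"))
        if not matches:
            continue
        if best is None or RANK[scope] > best[0] or (RANK[scope] == best[0] and action == "disable"):
            best = (RANK[scope], action)
    return best is not None and best[1] == "enable"


def _sign(key, body):
    # Keyed hash used as a stand-in for the CA's public-key signature of [0007].
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class CertifyingAuthority:
    def __init__(self, signing_key, predefined_info):
        self.key = signing_key        # stand-in for the CA private key
        self.info = predefined_info   # INF: sp -> trusted libraries and revoked functions
        self.public_location = {}     # predefined public location of issued certificates

    def decide(self, sp, requested_libraries):
        """Decider DEC: derive the allowed functionality F from the request GF'."""
        info = self.info.get(sp, {"trusted": set(), "revoked": set()})
        definition = []
        for library in requested_libraries:
            if library in info["trusted"]:
                definition.append(["enable", "library", library])
                for revoked in sorted(info["revoked"]):  # library enabled except these
                    if revoked.startswith(library + "."):
                        definition.append(["disable", "function", revoked])
        return definition

    def issue(self, sp, requested_libraries):
        """Including means INC: put F into CERT, sign it and publish it."""
        body = {"subject": sp, "issuer": "CA", "definition": self.decide(sp, requested_libraries)}
        cert = {"body": body, "signature": _sign(self.key, body)}
        self.public_location[sp] = cert
        return cert


class Terminal:
    def __init__(self, ca_verify_key, public_location):
        self.key = ca_verify_key
        self.location = public_location
        self.cache = {}  # (sp, library, function) -> "OK" / "NOK", as in [0033]

    def check(self, sp, library, function):
        """Processor P: OK only if a validly signed CERT for sp allows the function."""
        key = (sp, library, function)
        if key in self.cache:
            return self.cache[key]
        cert = self.location.get(sp)
        result = "NOK"
        if cert is not None and hmac.compare_digest(cert["signature"], _sign(self.key, cert["body"])):
            body = cert["body"]
            if body["subject"] == sp and is_authorized(body["definition"], library, function):
                result = "OK"
        self.cache[key] = result
        return result


def run_scenario():
    """Constructed walk-through of [0036]-[0037], plus a tampered certificate."""
    ca_key = b"constructed-ca-key"
    ca = CertifyingAuthority(ca_key, {"sp-one": {"trusted": {"WTAI.CallHandling", "WTAI.PhoneBook"},
                                                  "revoked": {"WTAI.PhoneBook.delete"}}})
    ca.issue("sp-one", ["WTAI.CallHandling", "WTAI.PhoneBook", "WTAI.Messaging"])  # REQ(GF')
    terminal = Terminal(ca_key, ca.public_location)
    results = {
        "call_setup": terminal.check("sp-one", "WTAI.CallHandling", "setup"),     # OK
        "phonebook_read": terminal.check("sp-one", "WTAI.PhoneBook", "read"),      # OK
        "phonebook_delete": terminal.check("sp-one", "WTAI.PhoneBook", "delete"),  # NOK, revoked
        "messaging_send": terminal.check("sp-one", "WTAI.Messaging", "send"),      # NOK, not trusted
        "no_certificate": terminal.check("sp-two", "WTAI.CallHandling", "setup"),  # NOK, no CERT
    }
    # A definition altered at the public location no longer matches the signature.
    original = ca.public_location["sp-one"]
    tampered = {"body": {**original["body"], "definition": [["enable", "all", ""]]},
                "signature": original["signature"]}
    results["tampered"] = Terminal(ca_key, {"sp-one": tampered}).check("sp-one", "WTAI.Messaging", "send")
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The decisive design choice is that the terminal never infers anything from the mere presence of a certificate: the signature is verified first, then the requested function is resolved against the definition, and only an explicit enable at the most specific matching level yields OK. Because the definition is carried inside the signed body, the revocation entries cannot be stripped by whoever serves the certificate from the public location.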

[0038] While the principles of the invention have been described above in connection with specific apparatus, it is to be clearly understood that this description is made only by way of example and not as a limitation on the scope of the invention, as defined in the appended claims.
Claims

1. A method for use in a telecommunication environment to provide authorization by a certifying authority (CA) to a service provider (SP) to execute predefined functionality (F) when a service is provided by said service provider (SP) to a terminal (T) of a user, said method includes the step of delivering a certificate (CERT), characterized in that said method further comprises the step of comprising in said certificate (CERT) a definition of said predefined functionality (F), said predefined functionality (F) being part of a global functionality (GF) supported in said telecommunication environment.

2. The method according to claim 1, characterized in that said global functionality (GF) is organized according to a hierarchical tree-like structure and that said definition of said predefined functionality (F) is at least partly realized by a definition of a branch of said structure whereby authorization is provided to predefined functions of said predefined functionality (F) that are related to said branch.

3. The method according to any one of the previous claims, characterized in that said definition of said predefined functionality (F) is at least partly realized by a revocation of part of said global functionality (GF).

4. The method according to any one of the previous claims, characterized in that said definition of said predefined functionality (F) comprises definitions of wireless markup script language.

5. The method according to any one of the previous claims, characterized in that said definition of said predefined functionality (F) comprises definitions of wireless application protocol wireless telephony application functions.

6. The method according to any one of the previous claims, characterized in that said definition of said predefined functionality (F) comprises definitions of wireless application protocol wireless markup language script standard functions.

7. A certifying authority (CA) to realize the method according to any one of claim 1 to claim 6, characterized in that said certifying authority (CA) comprises decision means (DEC) to decide according to predefined information (INF) whether said service provider (SP) is entitled to execute at least part of said global functionality (GF') and to provide thereby an allowed functionality (F), and inclusion means (INC) coupled thereto to include in said certificate (CERT) a definition of said allowed functionality (F), said allowed functionality (F) being constituted by said predefined functionality (F).

8. A terminal (T) to realize the method according to any one of claim 1 to claim 6, characterized in that said terminal (T) comprises processing means (P) to check said certificate (CERT) upon a presence of a definition of a function (f1) of said global functionality (GF) before execution of said function (f1) and to provide thereby any one of authorization and revocation of the execution of said function (f1) by said service provider (SP) in the event when said service (SERV) is provided by said service provider (SP) to said terminal (T).

9. A service provider (SP) to realize the method according to any one of claim 1 to claim 6, characterized in that said service provider (SP) comprises transmitting means (TRX) to forward a request (REQ) to said certifying authority (CA) in order to receive said authorization, said request (REQ) comprising a definition of at least part of said global functionality (GF').

10. A certificate (CERT) to realize the method according to any one of claim 1 to claim 6, characterized in that said certificate (CERT) comprises a definition of said predefined functionality (F) being part of a global functionality (GF) supported in said telecommunication environment.

11. A telecommunication network characterized in that said telecommunication network comprises any one of a certifying authority (CA), a terminal (T) and a service provider (SP) according to claim 7, claim 8 and claim 9, respectively.